Financial institutions should implement written policies and procedures to ensure that a hard drive or flash memory containing sensitive information is erased, encrypted or destroyed prior to the device being returned to the leasing company, sold or otherwise disposed of.

This guidance describes the risk posed by sensitive information stored on certain electronic devices and how institutions should mitigate that risk.

Risk

Photocopiers, fax machines and printers may contain a hard drive or flash memory that stores digital images of the documents that are copied, transmitted or printed by the device. Financial institutions use these devices regularly to process loans and other financial transactions on behalf of their customers. Loan documents and other business documents often contain sensitive and confidential information concerning financial institution customers.

Many financial institutions lease photocopiers, fax machines and printers for a set period of time. At the end of the lease period, the devices are returned to the leasing company and either sold or leased again. Anyone who takes subsequent possession of a device that was used by a financial institution may be able to access the hard drive or flash memory and view digital images of the documents that were processed by the device, thus giving them access to sensitive personal and business information concerning the institution's customers.

Controls

Financial institutions should be aware of the risks posed by the potential disclosure of sensitive customer information stored on the hard drive or flash memory of photocopiers, fax machines and printers used by the institution. Financial institutions should implement written policies and procedures to identify devices that store digital images of business documents and ensure their hard drive or flash memory is erased, encrypted or destroyed prior to being returned to the leasing company, sold to a third party or otherwise disposed of. If the institution chooses to erase or encrypt the hard drive, the method used should be sufficiently robust to render the information on the disk unrecoverable. Examiners may ask to review such policies and procedures and verify that they have been effectively implemented.

Further Information

For further information, contact Jeffrey Kopchik, Senior Policy Analyst, at (202)-898-3872 or jkopchik@fdic.gov.